Dear all,

I need to renew my certificat for my website, but somehow I run into troubles, here are the answers to the general questions:

My domain is: www.3bij3.nl

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

---

Processing /etc/letsencrypt/renewal/www.3bij3.nl.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.3bij3.nl
http-01 challenge for 3bij3.nl
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.3bij3.nl) from /etc/letsencrypt/renewal/www.3bij3.nl.conf produced an unexpected error: Failed authorization procedure. www.3bij3.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.3bij3.nl/.well-known/acme-challenge/uJo9XZ_E61EpIw5GjKXJzV2wJVeBVLazoACfMOUiZjI: "

Welkom op 3bij3 <meta name="viewport" content="width=device-width, ini", 3bij3.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://3bij3.nl/.well-known/acme-challenge/DapX28z034TaJTMQRSLinxUBaOeqnnArpZTmKLRgpzU: " Welkom op 3bij3 <meta name="viewport" content="width=device-width, ini". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem (failure)

---

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.3bij3.nl/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: www.3bij3.nl
  Type: unauthorized
  Detail: Invalid response from
  http://www.3bij3.nl/.well-known/acme-challenge/uJo9XZ_E61EpIw5GjKXJzV2wJVeBVLazoACfMOUiZjI:
  "

  Welkom op 3bij3 <meta name="viewport" content="width=device-width, ini"

  Domain: 3bij3.nl
  Type: unauthorized
  Detail: Invalid response from
  http://3bij3.nl/.well-known/acme-challenge/DapX28z034TaJTMQRSLinxUBaOeqnnArpZTmKLRgpzU:
  "

  Welkom op 3bij3 <meta name="viewport" content="width=device-width, ini"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: strato.nl

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

My nginx configuration is as follows:

server {
# listen on port 80 (http)
listen 80;
server_name _;
location / {
# redirect any requests to the same URL but on https
return 301 https://$host$request_uri;
}
}
server {
# listen on port 443 (https)
listen 443 ssl;
server_name _;

# location of the certificate                                                                                             
    ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

# write access and error logs to /var/log                                                                                                   
    access_log /var/log/3bij3_access.log;
        error_log /var/log/3bij3_error.log;

location / {
        # forward application requests to the gunicorn server                                                                               
                proxy_pass 127.0.0.1:8000;
                        proxy_redirect off;
                                proxy_set_header Host $host;
                                        proxy_set_header X-Real-IP $remote_addr;
                                                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                                    }
location /static {
        # handle static files directly, without forwarding to the application                                                               
                alias /home/felicia/3bij3/app/static;
                        expires 30d;
                            }
                            }

I do not know what is not working, please let me know if you need any additional information to help me!

Hi,

You are using a proxy to redirect all queries to backend server, which also redirected the certbot query.

In order for this to work, add the following block before / after the location /

    location ~ /.well-known {
                   allow all;
           }

Thank you

Thank you for your fast answer! I added it like this:

server {

listen on port 80 (http)

listen 80;
server_name _;
location / {

redirect any requests to the same URL but on https

return 301 https://$host$request_uri;
}
}
server {

listen on port 443 (https)

listen 443 ssl;
server_name _;

location of the certificate

ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

write access and error logs to /var/log

access_log /var/log/3bij3_access.log;
    error_log /var/log/3bij3_error.log;

location / {
# forward application requests to the gunicorn server
proxy_pass 127.0.0.1:8000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /static {
# handle static files directly, without forwarding to the application
alias /home/felicia/3bij3/app/static;
expires 30d;
}
}
location ~ /.well-known {
allow all;
}

But it still does not work, I get the same error - or did I insert it at the wrong place?

Hi,

Can you please try placing that block before the first https location block (the proxy one)?

Thank you

Hey,

hmm… now it looks like this:

server {
# listen on port 80 (http)
listen 80;
server_name _;
location /
{
# redirect any requests to the same URL but on https
return 301 https://$host$request_uri;
}
}
server {
# listen on port 443 (https)
listen 443 ssl;
server_name _;

# location of the self-signed SSL certificate                                                                                               
    ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

# write access and error logs to /var/log                                                                                                   
    access_log /var/log/3bij3_access.log;
        error_log /var/log/3bij3_error.log;

location ~ /.well-known {
allow all;
}

location / {
# forward application requests to the gunicorn server
proxy_pass 127.0.0.1:8000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /static {
        # handle static files directly, without forwarding to the application                                                               
                alias /home/felicia/3bij3/app/static;
                        expires 30d;
                            }
                            }

But I still get the same issue and now when I try to reload nginx I get an error saying: nginx: [emerg] invalid URL prefix in /etc/nginx/sites-enabled/3bij3.conf:29

Sorry if I am asking stupid questions, I am completely new to this…

Ok…

That’s a little bit wierd…

Can you check your let’s encrypt renew config? (Why does using webroot produce an 404?)

server {
# listen on port 443 (https)
listen 443 ssl;
server_name _;

# location of the certificate                                                                                             
    ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

# write access and error logs to /var/log                                                                                                   
    access_log /var/log/3bij3_access.log;
        error_log /var/log/3bij3_error.log;

location ~ /.well-known {
              allow all;
}
location / {
        # forward application requests to the gunicorn server                                                                               
                proxy_pass 127.0.0.1:8000;
                        proxy_redirect off;
                                proxy_set_header Host $host;
                                        proxy_set_header X-Real-IP $remote_addr;
                                                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                                    }
location /static {
        # handle static files directly, without forwarding to the application                                                               
                alias /home/felicia/3bij3/app/static;
                        expires 30d;
             }
  }

do you mean this:

renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/www.3bij3.nl
cert = /etc/letsencrypt/live/www.3bij3.nl/cert.pem
privkey = /etc/letsencrypt/live/www.3bij3.nl/privkey.pem
chain = /etc/letsencrypt/live/www.3bij3.nl/chain.pem
fullchain = /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
webroot_path = /var/www/letsencrypt,
account = a711e55840f71576a1fb61013048c7fc
installer = None
[[webroot_map]]
www.3bij3.nl = /var/www/letsencrypt
3bij3.nl = /var/www/letsencrypt

Hi @FeLoe,

Replace this:

location ~ /.well-known {
              allow all;
}

by this:

location ~ /.well-known {
    default_type "text/plain";
    root /var/www/letsencrypt; 
}

Restart nginx and before trying to issue a certificate, first check that you can get a test file:

mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/
echo "This is a test" >  /var/www/letsencrypt/.well-known/acme-challenge/test

And try to get that file from command line:

curl -ikL http://www.3bij3.nl/.well-known/acme-challenge/test

or using you browser http://www.3bij3.nl/.well-known/acme-challenge/test

If you get the text “This is a test” then go ahead and try to issue your cert.

Good luck,
sahsanu

Hey @sahsanu,

I’ve tried it, but when I do

sudo service nginx reload

it does not work and I get

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

and when looking at journalctl -xe it shows:

nginx: [emerg] invalid URL prefix in /etc/nginx/sites-enabled/3bij3.conf:30

So I cannot restart nginx…

@sahsanu @stevenzhu - found it! Apparently I needed to add http:// before the proxy_pass in nginx (although I never had to do this before) and now everything works! Thank you both so much for your help and time! I have my certificates now

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.